How to unlock git-crypt files during a docker build on a GitLab CI/CD pipeline

Dax*_*cor 3 git gitlab docker git-crypt

I have a repository with files encrypted using git-crypt. I have exported the key to a file. Now I build my image with the default docker image build template on gitlab. The pipeline works fine. I just don't know how to "unlock" the files during the build so that the image contains the plaintext files ready for use. The pipeline build looks like this:

docker-build:
  # Use the official docker image.
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  # Default branch leaves tag empty (= latest tag)
  # All other branches are tagged with the escaped branch name (commit ref slug)
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      else
        tag=":$CI_COMMIT_REF_SLUG"
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      fi
      echo $CI_REGISTRY_IMAGE${tag}
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    - docker push "$CI_REGISTRY_IMAGE${tag}"
  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile

I'm just not sure when and where the unlock happens. Does it happen in the Dockerfile or in this build process? I have googled and thought this would be a common question, but so far found nothing.

Thanks in advance for any help or links.

Brad

Dax*_*cor 5

I think the reason no one has answered is because it is almost impossible to answer. There are so many permutations of how to use runners. So I will share my solution.

The thing I had to realize is that the OS image that runs the docker image doesn't have git-crypt installed in it. So that was my first task.

- apk add git-crypt

Now that the binary is in the building image I need to somehow get the unlock key into the image. Thankfully, gitlab has project variables that you can use in your builds. However, they do not currently have a way to upload a binary file, which the unlock key is. So what to do? Well, you base64 encode it.

base64 binaryfile.key > baseecodeded.key

You can now paste the text with NO cr/lf into the gitlab project variables and make sure you set it to File not text. Then you can decode the variable back to a file and use it in your build.

- cat "$CRYPT_KEY" | base64 -d > key-file
- git-crypt unlock key-file

The final .gitlab-ci.yml is below. One thing I still want to do is change it to skip creating the file, and pipe the decoded variable directly into git-crypt unlock.

docker-build:
  # Use the official docker image.
  image: docker:latest
  stage: build
  tags:
    - "docker"
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - apk add git-crypt
    - cat "$CRYPT_KEY" | base64 -d > key-file
    - git-crypt unlock key-file
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      fi

    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    - docker push "$CI_REGISTRY_IMAGE${tag}"

  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: "$CI_COMMIT_BRANCH =~ /^dev/"
      when: never
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      exists:
        - Dockerfile
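The answer's before_script writes key-file into $CI_PROJECT_DIR, which is exactly the context that `docker build .` sends to the daemon, so the decoded key is one careless COPY away from ending up in the image (and the unlocked plaintext files are, by design, readable by anyone who can pull that image). The script below is an added example, not the answer's own code: it decodes the File-type variable into a 0600 temp file outside the repository, refuses to proceed if the key path is inside the build context, unlocks, and removes the key whether or not unlock succeeded. CRYPT_KEY is the variable name from the answer; KEY_TMPDIR and GIT_CRYPT_CMD are hypothetical overrides used only to keep the key out of the tree and to make the script testable.

```shell
#!/bin/sh
# Added example (not the answer's own code): decode the base64 git-crypt key
# that GitLab exposes through a File-type variable into a 0600 temp file that
# lives OUTSIDE the repository, unlock the working tree, then delete the key.
# Keeping the key out of $CI_PROJECT_DIR means "docker build ." can never
# copy it into the build context or the image.
# Assumed names: CRYPT_KEY (the CI variable from the answer), KEY_TMPDIR and
# GIT_CRYPT_CMD (hypothetical overrides, defaulting to /tmp and git-crypt).
set -eu

# decode_key_file BASE64_FILE OUT_FILE
# Strips any CR/LF a pasted variable may carry, decodes, and writes OUT_FILE
# with mode 0600; fails if the decoded key is empty.
decode_key_file() {
  b64_file="$1"
  out="$2"
  old_umask=$(umask)
  umask 077
  tr -d '\r\n' < "$b64_file" | base64 -d > "$out"
  umask "$old_umask"
  [ -s "$out" ] || { echo "decoded key is empty" >&2; return 1; }
}

# is_outside_tree FILE DIR
# Succeeds only when FILE is not located under DIR (the docker build context).
is_outside_tree() {
  case "$1" in
    "$2"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# unlock_with_key BASE64_FILE REPO_DIR
# Decodes into a temp file under KEY_TMPDIR, verifies it is outside REPO_DIR,
# runs "git-crypt unlock", and removes the key whether or not unlock succeeded.
unlock_with_key() {
  b64_file="$1"
  repo_dir="$2"
  key_file=$(mktemp "${KEY_TMPDIR:-/tmp}/git-crypt-key.XXXXXX")
  status=0
  decode_key_file "$b64_file" "$key_file" || status=$?
  if [ "$status" -eq 0 ]; then
    is_outside_tree "$key_file" "$repo_dir" || status=$?
  fi
  if [ "$status" -eq 0 ]; then
    ( cd "$repo_dir" && ${GIT_CRYPT_CMD:-git-crypt} unlock "$key_file" ) || status=$?
  fi
  rm -f "$key_file"
  return "$status"
}

# In before_script (CRYPT_KEY is the path GitLab gives a File-type variable):
#   unlock_with_key "$CRYPT_KEY" "$CI_PROJECT_DIR"
```

Because the key is written under /tmp rather than the checkout, no .dockerignore entry is needed to keep it out of the context; if you prefer the answer's key-file in the repository root, add that name to .dockerignore and delete the file before docker build runs.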